Deploying the agent (MDM)

This section explains how to deploy the Forcepoint Mobile Endpoint Agent using Microsoft Intune, including adding the application, configuring certificate and VPN profiles, and assigning the required settings to manage iOS and iPadOS devices.

Note: The steps outlined below have been validated using Microsoft Intune and SCEPman. While similar configurations may be possible with other MDM solutions, they have not been verified.

Steps

  1. Step 1: Deploy Mobile Endpoint Agent application.
    1. Sign in to the Microsoft Intune admin center.
    2. Navigate to Apps > iOS/iPadOS > +Add. This opens the Select app type pane.
    3. Select iOS store app from the App type drop-down and click Select.
    4. On the Add App page, click Search the App Store and search for Forcepoint Mobile. Then select the application.
    5. On the App Information tab, populate the app metadata fields (name, description, publisher, applicable device type, and minimum operating system). Only the mandatory fields are required; fill them in and click Next.

      Example of information entered in the mandatory fields: image not reproduced.

    6. On the Assignment tab, under the Required section, choose groups that will have the solution force installed. This can be a user group, device group, all users, or all devices. Then click Next.
    7. On the Review + create tab, confirm the settings you entered. Clicking Create uploads the application.
  2. Step 2: Configure the Trusted Certificate profile.
    1. Download the Root CA Certificate from SCEPman.
      1. Open the SCEPman portal and navigate to SCEP Basics.
      2. From the Get Root CA cert option, download the CA certificate.

        Note: This is the Client Certificate, which is unique to each tenant.
    2. Create a new Trusted Certificate policy.
      1. In the Microsoft Intune admin center, navigate to Devices > Configuration > +Create > New Policy.
      2. Enter the following properties and then click Create:
        • Platform: Select iOS/iPadOS.
        • Profile type: Select Templates.
        • Template name: Select Trusted certificate.

      3. On the Basics tab, enter the following properties:
        • Name: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later.
        • Description: Enter a description for the profile. This setting is optional.

        Then click Next.

      4. On the Configuration settings tab, click the folder icon to upload your previously downloaded CA certificate from the SCEPman portal.

        Then click Next.

      5. On the Assignments tab, in the Included groups section, select the groups that will have the solution force installed. This can be a user group, device group, all users, or all devices. Then click Next.
      6. On the Review + create tab, you can confirm the settings you have entered. When you select Create, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.
  3. Step 3: Configure SCEP Certificate profile.
    1. Navigate to +Create > New Policy.
    2. Enter the following properties and select Create:
      • Platform: Select iOS/iPadOS.
      • Profile type: Select Templates.
      • Template name: Select SCEP certificate.

    3. On the Basics tab, enter the following properties:
      • Name: Enter a descriptive name for the custom profile. Name your profiles so you can easily identify them later.
      • Description: Enter a description for the profile. This setting is optional.
    4. On the Configuration settings tab, configure the following settings:
      Table 1. SCEP certificate configuration settings
      • Certificate type: User
      • Subject name format: CN={{UserPrincipalName}}
      • Subject Alternative Name: Attribute = User Principal Name; Value = CN={{UserPrincipalName}}
      • Certificate validity period: Define the certificate lifecycle duration.
      • Key usage: Digital signature and Key encipherment.
      • Key size: 2048 bits
      • Root Certificate: Select +Root Certificate and choose the Trusted certificate created in Step 2.
      • Extended key usage: Under Predefined values, assign Client Authentication (1.3.6.1.5.5.7.3.2). The other fields are filled in automatically.
      • SCEP server URLs: Enter the Intune MDM URL obtained from the SCEPman portal.

      Example of information entered in the mandatory fields: image not reproduced.

      Then click Review + save.

    5. On the Assignments tab, under the Included groups section, choose groups that will have the solution force installed. This can be a user group, device group, all users, or all devices. Then click Next.
    6. On the Review + create tab, you can confirm the settings you have entered. When you select Create, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.
  4. Step 4: Configure the VPN profile.
    1. Navigate to +Create > New Policy.
    2. Enter the following properties and select Create:
      • Platform: Select iOS/iPadOS.
      • Profile type: Select Templates.
      • Template name: Select VPN.

    3. On the Basics tab, enter the following properties:
      • Name: Enter a descriptive name for the custom profile. Name your profiles so you can easily identify them later.
      • Description: Enter a description for the profile. This setting is optional.
    4. On the Configuration Settings tab, select Custom VPN from the drop-down and configure the following settings.

      Before entering any values, open the Forcepoint Data Security Cloud portal and navigate to Endpoint Management > Mobile Endpoint Agent > Global Settings. Copy and save the following values: VPN Server Address, VPN Identifier, Registration URL, Installer Key, and Logging URL.

      For more details about these fields, see the Global Settings page.

      1. Base VPN
        Table 2. Base VPN settings
        • Connection name: Enter a meaningful name for the VPN connection.
        • VPN server address: VPN Server Address from the Global Settings page.
        • Authentication method: Certificates
        • Authentication certificate: Click Select a client authentication certificate and choose the SCEP certificate created in Step 3.
        • VPN identifier: VPN Identifier from the Global Settings page.
        • Enter key and value pairs for the custom VPN attributes: Add the following pairs.
          • FP_BACKEND: Registration URL from the Global Settings page.
          • FP_INSTALLER_KEY: Installer Key from the Global Settings page.
          • FP_DS_TENANT_ID: Open the Forcepoint Data Security Cloud portal, navigate to User profile icon > User profile > Profile Information, and copy the Global ID from this page.
          • FP_SKIP_STARTUP_SCREEN: Select true to enable auto-start, allowing the application to launch automatically without displaying the login page. Select false to display the login page so that users log in manually; they will be required to enter their credentials to access the application.
          • FP_LOG_URL: Logging URL from the Global Settings page.

        Example of information entered in the mandatory fields: image not reproduced.

      2. Automatic VPN
        Table 3. Automatic VPN settings
        • Type of automatic VPN: On-demand VPN
        • On-demand rules: Click Add to open the Add Row panel. Select Connect VPN from the I want to do the following drop-down and select All domains from the I want to restrict to drop-down.

        Example of information entered in the mandatory fields: image not reproduced.

        Then click Next.

    5. On the Assignments tab, under the Included groups section, choose groups that will have the solution force installed. This can be a user group, device group, all users, or all devices. Then click Next.
    6. On the Review + create tab, you can confirm the settings you have entered. When you select Create, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.
  5. Step 5: Configure Forcepoint CA certificate.
    1. Navigate to Devices > Configuration > +Create > New Policy.
    2. Enter the following properties and then click Create:
      • Platform: Select iOS/iPadOS.
      • Profile type: Select Templates.
      • Template name: Select Trusted certificate.
    3. On the Basics tab, enter the following properties:
      • Name: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later.
      • Description: Enter a description for the profile. This setting is optional.

      Then click Next.

    4. On the Configuration settings tab, click the folder icon. Browse to the .cer file you downloaded from your Forcepoint Data Security Cloud portal and click Upload.

      You can find this certificate under Endpoint Management > Mobile Endpoint Agent > Global Settings > Download Forcepoint CA Certificate.

      For more details, see the Global Settings page.

    5. On the Assignments tab, under the Included groups section, choose groups that will have the solution force installed. This can be a user group, device group, all users, or all devices. Then click Next.
    6. On the Review + create tab, you can confirm the settings you have entered. When you select Create, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.
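The Base VPN and Automatic VPN settings from Steps 3 and 4 reach the device as an Apple VPN payload. The following Python script is an added example, not part of the Forcepoint documentation or of Intune: it checks a .mobileconfig VPN payload against those documented settings using the Apple payload keys (VPN, VendorConfig, OnDemandRules). It assumes that Intune delivers the VPN identifier as VPNSubType and the custom VPN attributes under VendorConfig, and the sample profile is constructed with placeholder values.

```python
import plistlib

# Custom VPN attributes required by Table 2 (constructed check, not Forcepoint or Intune code).
REQUIRED_VENDOR_KEYS = ("FP_BACKEND", "FP_INSTALLER_KEY", "FP_DS_TENANT_ID",
                        "FP_SKIP_STARTUP_SCREEN", "FP_LOG_URL")

def check_vpn_payload(payload):
    """Return findings for one com.apple.vpn.managed payload; [] means it matches Tables 2 and 3."""
    findings, vpn, vendor = [], payload.get("VPN", {}), payload.get("VendorConfig", {})
    if not vpn.get("RemoteAddress"):
        findings.append("VPN server address (RemoteAddress) missing")
    # Table 2: Authentication method = Certificates, referencing the client certificate payload.
    if vpn.get("AuthenticationMethod") != "Certificate" or not vpn.get("PayloadCertificateUUID"):
        findings.append("certificate authentication not configured")
    if not payload.get("VPNSubType"):  # assumed to carry Intune's 'VPN identifier' field
        findings.append("VPN identifier (VPNSubType) missing")
    for key in REQUIRED_VENDOR_KEYS:
        if not vendor.get(key):
            findings.append(f"custom attribute {key} missing or empty")
    if vendor.get("FP_SKIP_STARTUP_SCREEN") not in ("true", "false"):
        findings.append("FP_SKIP_STARTUP_SCREEN must be true or false")
    for key in ("FP_BACKEND", "FP_LOG_URL"):
        if vendor.get(key) and not str(vendor[key]).startswith("https://"):
            findings.append(f"{key} should be an https URL")
    # Table 3: on-demand VPN with a Connect rule ('All domains' adds no domain restriction).
    if not vpn.get("OnDemandEnabled") or not any(
            r.get("Action") == "Connect" for r in vpn.get("OnDemandRules", [])):
        findings.append("on-demand VPN with a Connect rule not configured")
    return findings

def check_mobileconfig(data):
    """Check every VPN payload in a .mobileconfig (plist bytes), keyed by PayloadIdentifier."""
    return {p.get("PayloadIdentifier", "?"): check_vpn_payload(p)
            for p in plistlib.loads(data).get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.vpn.managed"}

# Constructed sample profile with placeholder values (no real tenant data); FP_LOG_URL is
# deliberately http:// so the check reports one finding.
SAMPLE_PROFILE = plistlib.dumps({"PayloadContent": [{
    "PayloadType": "com.apple.vpn.managed", "PayloadIdentifier": "example.vpn.fp",
    "UserDefinedName": "Forcepoint Mobile", "VPNType": "VPN",
    "VPNSubType": "com.example.vpn-identifier-placeholder",
    "VPN": {"RemoteAddress": "vpn.example.invalid", "AuthenticationMethod": "Certificate",
            "PayloadCertificateUUID": "00000000-0000-0000-0000-000000000000",
            "OnDemandEnabled": 1, "OnDemandRules": [{"Action": "Connect"}]},
    "VendorConfig": {"FP_BACKEND": "https://registration.example.invalid",
                     "FP_INSTALLER_KEY": "INSTALLER-KEY-PLACEHOLDER", "FP_DS_TENANT_ID": "GLOBAL-ID-PLACEHOLDER",
                     "FP_SKIP_STARTUP_SCREEN": "true", "FP_LOG_URL": "http://logging.example.invalid"}}]})
```

Running check_mobileconfig(SAMPLE_PROFILE) on the constructed profile reports only the non-https FP_LOG_URL; an empty result per payload means every documented setting is present.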

Result

After completing all configuration steps, Microsoft Intune initiates deployment of the Mobile Endpoint Agent and associates certificate profiles with the assigned devices.